refactor(examples): bump sdk-go to v0.9.0 and rename Tenant to Domain #20
- Bump go-jwks and go-jwks-multi to sdk-go v0.9.0 with Go 1.25.9 toolchain
- Rename Tenant to Domain across go-jwks-multi main.go, claims, env vars, and docs per sdk-go #25
- Rename ISSUER_TENANTS environment variable to ISSUER_DOMAINS
- Update testissuer to emit the domain claim and accept ?domain= query parameter
- Add /api/admin endpoint to go-jwks demonstrating Domains, ServiceAccounts, and Projects allowlists

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Updates the Go JWKS-based resource-server examples to sdk-go v0.9.0 and migrates the “Tenant” partition concept to the new “Domain” terminology, including docs and the local multi-issuer test token minting tool.
Changes:
- Bump `github.com/go-authgate/sdk-go` to `v0.9.0` in `go-jwks/` and `go-jwks-multi/` (and update Go `go.mod` directives accordingly).
- Rename multi-issuer example configuration and claims vocabulary from tenant → domain (`ISSUER_DOMAINS`, `domain` claim, allowlists).
- Add `/api/admin` route to `go-jwks` to demonstrate `jwksauth.AccessRule` allowlists beyond scopes, and expand README endpoint/rule documentation.
Reviewed changes
Copilot reviewed 9 out of 11 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| go-jwks/main.go | Adds /api/admin route protected by jwksauth.AccessRule and includes domain in profile response. |
| go-jwks/go.mod | Bumps Go directive and sdk-go dependency version. |
| go-jwks/go.sum | Updates sdk-go checksums for v0.9.0. |
| go-jwks/README.md | Documents /api/admin and clarifies allowlist semantics and updated scope-check API. |
| go-jwks-multi/main.go | Renames tenant→domain concepts across env/config, routing allowlists, and JSON responses. |
| go-jwks-multi/go.mod | Bumps Go directive and sdk-go dependency version. |
| go-jwks-multi/go.sum | Updates sdk-go checksums for v0.9.0. |
| go-jwks-multi/README.md | Updates docs from tenant→domain and environment variable names. |
| go-jwks-multi/.env.example | Renames ISSUER_TENANTS→ISSUER_DOMAINS and updates explanatory comments. |
| go-jwks-multi/testissuer/main.go | Updates minted claim/query param from tenant→domain and updates printed env block. |
| go-jwks-multi/testissuer/README.md | Updates all usage/scenarios from tenant→domain. |
… doc comment

- Add domain to /api/admin response for parity with go-jwks and the README claim
- Reword top doc comment so it does not imply every handler enforces every claim allowlist

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Revert go directive to 1.25.8 in go-jwks and go-jwks-multi for consistency with the rest of the repo (go-httpretry was pruned by tidy and 1.25.9 is no longer required)
- Replace stale accessRule and v.middleware references in go-jwks-multi README with the actual jwksauth.AccessRule and jwksauth.Middleware symbols
- Capitalize Domains struct field in the fail-closed bullet to match exported Go field naming

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Copilot reviewed 9 out of 11 changed files in this pull request and generated 2 comments.
Allowlist (Domain/ServiceAccount/Project) rejects produce a generic 401, but scope failures produce 403 insufficient_scope with details — call this out in the AccessRule comment so it does not read as if every reject is a 401.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Copilot reviewed 9 out of 11 changed files in this pull request and generated 1 comment.
The handler started returning the domain claim, but the README sample still omitted it. Mirror the actual handler shape and note that the field is empty when AuthGate does not emit a domain claim.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Copilot reviewed 9 out of 11 changed files in this pull request and generated no new comments.
Summary
Adopt sdk-go v0.9.0 in `go-jwks/` and `go-jwks-multi/`, mirroring the breaking rename in go-authgate/sdk-go#25: the partition concept formerly called `Tenant` is now `Domain`, and the new optional `Tenant` field is reserved for an in-Domain sub-room (unused by these examples).

- `go-jwks-multi`: rename `SetIssuerTenants` → `SetIssuerDomains`, `IssuerTenants` → `IssuerDomains`, `AccessRule.Tenants` → `AccessRule.Domains`, `Claims.Tenant` → `Claims.Domain`, JSON response key `tenant` → `domain`. Env var `ISSUER_TENANTS` → `ISSUER_DOMAINS`. `testissuer` mints the `domain` claim and accepts `?domain=` query param. Comments, README, and `.env.example` reworded to the new vocabulary.
- `go-jwks`: no SDK API surface used the rename. The intermediate v0.8.0 of sdk-go pulled `appleboy/go-httpretry@v0.12.0` (which requires Go 1.25.9) and forced a `go` directive bump while migrating, but `go mod tidy` against v0.9.0 prunes that transitive dep, so the final state stays on `go 1.25.8` for consistency with the rest of the repo.
- `/api/admin` example: added to `go-jwks/main.go` to demonstrate the previously-unshown `AccessRule` fields (`Domains`, `ServiceAccounts`, `Projects`); README updated with the endpoint table, curl example, response sample, and a note on AND-combined fail-closed semantics.

AI Authorship
- `.env.example`, `testissuer` updates).
- `/api/admin` route + handler in `go-jwks/main.go`.

Change classification
Verification
- `go build ./...` clean in both `go-jwks/` and `go-jwks-multi/`.
- `go vet ./...` clean in both.
- `tenant` across both example dirs (excluding `.env`, `go.sum`) returns zero matches — no stale references.
- `go run ./testissuer` + the resource server locally, minted a token with `?domain=oa&sa=sync-bot@oa.local&project=admin-tools&scope=email+profile`, and confirmed `/api/profile`, `/api/data`, `/api/admin` all return 200; cross-domain (`?domain=swrd` from auth-a) returns 401 with the expected `domain="swrd" allowed=[oa hwrd]` server log line.

Migration impact (for users following these examples)
- `ISSUER_TENANTS` env var → `ISSUER_DOMAINS` — local `.env` files need updating.
- `tenant` → `domain` on the multi example's `/api/profile` and `/api/data` responses.
- `?tenant=` → `?domain=`; emitted JWT claim is now `domain` (not `tenant`).
- `go.mod`: stays on `go 1.25.8` — same minimum as the other example modules in this repo.

Test plan
- `cd go-jwks && GOTOOLCHAIN=auto go build ./... && GOTOOLCHAIN=auto go vet ./...`
- `cd go-jwks-multi && GOTOOLCHAIN=auto go build ./... && GOTOOLCHAIN=auto go vet ./...`
- `go-jwks-multi/testissuer` + resource server, mint token with `?domain=oa&...`, confirm 200 on the three protected routes.
- `?domain=swrd`, confirm 401 with `issuer not permitted for this domain` server log.

🤖 Generated with Claude Code
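
The allowlist semantics discussed in this PR (AND-combined `Domains`, `ServiceAccounts` and `Projects` allowlists that reject with a generic 401, scope failures answered with 403 `insufficient_scope`), as an added sketch that is not sdk-go's code or part of this PR. The `claims` and `rule` types and the `evaluate` function are hypothetical stand-ins; treating an empty allowlist as unconstrained, a missing claim as a reject, and checking allowlists before scopes are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Hypothetical stand-ins for illustration; these are not sdk-go types.
type claims struct{ Domain, ServiceAccount, Project, Scope string }

type rule struct{ Domains, ServiceAccounts, Projects, Scopes []string }

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// allowed: an empty allowlist adds no constraint (assumption); a configured
// one fails closed, so a token with the claim missing is rejected.
func allowed(list []string, claim string) bool {
	return len(list) == 0 || (claim != "" && contains(list, claim))
}

// evaluate returns the HTTP status and, for scope failures, the error code.
func evaluate(r rule, c claims) (int, string) {
	// Allowlists are AND-combined: every configured one must match. Any miss
	// gets the same generic 401 with no detail about which list rejected.
	if !allowed(r.Domains, c.Domain) || !allowed(r.ServiceAccounts, c.ServiceAccount) ||
		!allowed(r.Projects, c.Project) {
		return http.StatusUnauthorized, ""
	}
	granted := strings.Fields(c.Scope) // space-delimited scope claim
	for _, s := range r.Scopes {
		if !contains(granted, s) {
			return http.StatusForbidden, "insufficient_scope"
		}
	}
	return http.StatusOK, ""
}

func main() {
	// Constructed rule and token values, modelled on the PR's verification run.
	admin := rule{[]string{"oa"}, []string{"sync-bot@oa.local"}, []string{"admin-tools"}, []string{"email"}}
	fmt.Println(evaluate(admin, claims{"oa", "sync-bot@oa.local", "admin-tools", "email profile"}))
	fmt.Println(evaluate(admin, claims{"swrd", "sync-bot@oa.local", "admin-tools", "email profile"}))
}
```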